CVE-2025-22510

High

Published: 09 January 2025

Published

09 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.1476 94.5th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Description

Deserialization of Untrusted Data vulnerability in kkarpieszuk WC Price History for Omnibus wc-price-history allows Object Injection.This issue affects WC Price History for Omnibus: from n/a through <= 2.1.4.

Security Summary

CVE-2025-22510 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the WordPress plugin WC Price History for Omnibus by kkarpieszuk, which allows Object Injection. The issue affects the plugin from n/a through version 2.1.4.

The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). It can be exploited over the network with low complexity by authenticated users with high privileges, such as administrators. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-price-history/vulnerability/wordpress-wc-price-history-for-omnibus-plugin-2-1-4-php-object-injection-vulnerability?_s_id=cve) documents this PHP Object Injection vulnerability in plugin version 2.1.4.

Details

CWE(s): CWE-502

References

https://patchstack.com/database/Wordpress/Plugin/wc-price-history/vulnerability/wordpress-wc-price-history-for-omnibus-plugin-2-1-4-php-object-injection-vulnerability?_s_id=cve
audit@patchstack.com